Home | History | Annotate | Download | only in Instrumentation

Lines Matching defs:Shadow

14 /// (http://goo.gl/QKbem). We associate a few shadow bits with every
15 /// byte of the application memory, poison the shadow of the malloc-ed
16 /// or alloca-ed memory, load the shadow bits on every memory read,
17 /// propagate the shadow bits through some of the arithmetic
18 /// instruction (including MOV), store the shadow bits on every memory
20 /// associated shadow is poisoned.
30 /// Another difference from Memcheck is that we use 8 shadow bits per
31 /// byte of application memory and use a direct shadow mapping. This
33 /// shadow updates (Memcheck is single-threaded so races are not a
34 /// concern there. Memcheck uses 2 shadow bits per byte with a slow
37 /// The default value of shadow is 0, which means "clean" (not poisoned).
40 /// shadow memory is ready. On error, __msan_warning is called. Since
42 /// specialized thread-local shadow for return values
52 /// They are stored in a second shadow mapping, one 4-byte value for 4 bytes
71 /// corresponding shadow location in an atomic way. Unfortunately, atomic store
77 /// not the other way around. We load the shadow _after_ the application load,
78 /// and we store the shadow _before_ the app store. Also, we always store clean
79 /// shadow (if the application store is atomic). This way, if the store-load
80 /// pair constitutes a happens-before arc, shadow store and load are correctly
86 /// must store the new shadow before the app operation, and load the shadow
90 /// clean shadow.
158        cl::desc("propagate shadow through ICmpEQ and ICmpNE"),
165 // This flag controls whether we check the shadow of the address
172        cl::desc("report accesses through a pointer which has poisoned shadow"),
187 // This is an experiment to enable handling of cases where shadow is a non-zero
190 static cl::opt<bool> ClCheckConstantShadow("msan-check-constant-shadow",
191        cl::desc("Insert checks for constant shadow values"),
199 // Memory map parameters used in application-to-shadow address calculation.
201 // Shadow = ShadowBase + Offset
328   /// \brief Thread-local shadow storage for function parameters.
332   /// \brief Thread-local shadow storage for function return value.
336   /// \brief Thread-local shadow storage for in-register va_arg function
339   /// \brief Thread-local shadow storage for va_arg overflow area
363   /// \brief Memory map parameters used in application-to-shadow calculation.
563 /// necessary to propagate argument shadow through VarArg function
598 /// instructions store and load corresponding shadow and origin
599 /// values. Most instructions propagate shadow from arguments to their
601 /// test their argument shadow and print reports (with a runtime call) if it's
619     Value *Shadow;
623       : Shadow(S), Origin(O), OrigIns(I) { }
690   void storeOrigin(IRBuilder<> &IRB, Value *Addr, Value *Shadow, Value *Origin,
694     unsigned StoreSize = DL.getTypeStoreSize(Shadow->getType());
695     if (isa<StructType>(Shadow->getType())) {
700       Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
740       Value *Shadow = SI.isAtomic() ? getCleanShadow(Val) : getShadow(Val);
741       Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB);
744           IRB.CreateAlignedStore(Shadow, ShadowPtr, SI.getAlignment());
753         storeOrigin(IRB, Addr, Shadow, getOrigin(Val), SI.getAlignment(),
758   void materializeOneCheck(Instruction *OrigIns, Value *Shadow, Value *Origin,
761     DEBUG(dbgs() << "  SHAD0 : " << *Shadow << "\n");
762     Value *ConvertedShadow = convertToShadowTyNoVec(Shadow, IRB);
813       Value *Shadow = ShadowData.Shadow;
815       materializeOneCheck(OrigIns, Shadow, Origin, InstrumentWithCalls);
826     // blocks, such nodes will not have any shadow value associated with them.
827     // It's easier to remove unreachable blocks than deal with missing shadow.
830     // Iterate all BBs in depth-first order and create shadow instructions
832     // For PHI nodes we create dummy shadow PHIs which will be finalized later.
858     // Insert shadow value checks.
864   /// \brief Compute the shadow type that corresponds to a given Value.
869   /// \brief Compute the shadow type that corresponds to a given Type.
874     // For integer type, shadow is the same as the original type.
907   /// \brief Convert a shadow value to it's flattened variant.
915   /// \brief Compute the integer shadow offset that corresponds to a given
934   /// \brief Compute the shadow address that corresponds to a given application
937   /// Shadow = ShadowBase + Offset
969   /// \brief Compute the shadow address for a given function argument.
971   /// Shadow = ParamTLS+ArgOffset.
990   /// \brief Compute the shadow address for a retval.
1003   /// \brief Set SV to be the shadow value for V.
1005     assert(!ShadowMap.count(V) && "Values may only have one shadow");
1017   /// \brief Create a clean shadow value for a given value.
1019   /// Clean shadow (all zeroes) means all bits of the value are defined
1028   /// \brief Create a dirty shadow of a given shadow type.
1044     llvm_unreachable("Unexpected shadow type");
1047   /// \brief Create a dirty shadow for a given value.
1060   /// \brief Get the shadow value for a given Value.
1067       // For instructions the shadow is already stored in the map.
1068       Value *Shadow = ShadowMap[V];
1069       if (!Shadow) {
1070         DEBUG(dbgs() << "No shadow: " << *V << "\n" << *(I->getParent()));
1072         assert(Shadow && "No shadow for a value");
1074       return Shadow;
1083       // For arguments we compute the shadow on demand and store it in the map.
1104             // ByVal pointer itself has clean shadow. We copy the actual
1105             // argument shadow to the underlying memory.
1147       assert(*ShadowPtr && "Could not find shadow for an argument");
1150     // For everything else the shadow is zero.
1154   /// \brief Get the shadow for i-th argument of the instruction I.
1176   /// \brief Remember the place where a shadow check should be inserted.
1179   /// UMR warning in runtime if the shadow value is not 0.
1180   void insertShadowCheck(Value *Shadow, Value *Origin, Instruction *OrigIns) {
1181     assert(Shadow);
1184     Type *ShadowTy = Shadow->getType();
1186            "Can only insert checks for integer and vector shadow types");
1189         ShadowOriginAndInsertPoint(Shadow, Origin, OrigIns));
1192   /// \brief Remember the place where a shadow check should be inserted.
1198     Value *Shadow, *Origin;
1200       Shadow = getShadow(Val);
1201       if (!Shadow) return;
1204       Shadow = dyn_cast_or_null<Instruction>(getShadow(Val));
1205       if (!Shadow) return;
1208     insertShadowCheck(Shadow, Origin, OrigIns);
1249   /// Loads the corresponding shadow and (optionally) origin.
1284   /// Stores the corresponding shadow and (optionally) origin.
1399   /// \brief Propagate shadow for bitwise AND.
1403   /// corresponding bit in B don't affect the resulting shadow.
1448   /// \brief Default propagation of shadow and/or origin.
1450   /// This class implements the general case of shadow propagation, used in all
1452   /// actually does. It converts all input shadow values to a common type
1465     Value *Shadow;
1472       Shadow(nullptr), Origin(nullptr), IRB(IRB), MSV(MSV) {}
1474     /// \brief Add a pair of shadow and origin values to the mix.
1478         if (!Shadow)
1479           Shadow = OpShadow;
1481           OpShadow = MSV->CreateShadowCast(IRB, OpShadow, Shadow->getType());
1482           Shadow = IRB.CreateOr(Shadow, OpShadow, "_msprop");
1511     /// \brief Set the current combined values as the given instruction's shadow
1515         assert(Shadow);
1516         Shadow = MSV->CreateShadowCast(IRB, Shadow, MSV->getShadowTy(I));
1517         MSV->setShadow(I, Shadow);
1541            "Vector of pointers is not a valid shadow type");
1547   /// \brief Cast between two shadow types, extending or truncating as
1566   /// \brief Cast an application value to the type of its own shadow.
1577   /// \brief Propagate shadow for arbitrary operation.
1591   // shadow left by the required number of bits. Effectively, we transform
1706       // Split shadow into sign bit and other bits.
1709       // Maximise the undefined shadow bit, minimize other undefined bits.
1723       // Split shadow into sign bit and other bits.
1726       // Minimise the undefined shadow bit, maximise other undefined bits.
1737   /// This function does exact shadow propagation for all relational
1771   /// bit of the shadow. Everything else is delegated to handleShadowOr().
1792       Value *Shadow = IRB.CreateICmpSLT(getShadow(op), getCleanShadow(op),
1794       setShadow(&I, Shadow);
1858   /// we will memove the shadow twice: which is bad in case
1872   // Similar to memmove: avoid copying shadow twice.
1912     Value *Shadow = getShadow(&I, 1);
1913     Value *ShadowPtr = getShadowPtr(Addr, Shadow->getType(), IRB);
1917     IRB.CreateAlignedStore(Shadow, ShadowPtr, 1);
2051   // We copy the shadow of \p CopyOp[NumUsedElements:] to \p
2076     // Combine shadow for elements of ConvertOp that are used in this operation,
2078     // FIXME: consider propagating shadow of ConvertOp, at least in the case of
2096     // Build result shadow by zero-filling parts of CopyOp shadow that come from
2200   // Shadow is propagated with the signed variant of the same intrinsic applied
2429       // For inline asm, do the usual thing: check argument shadow and mark all
2468       // Compute the Shadow for arg even if it is ByVal, because
2469       // in that case getShadow() will copy the actual arg shadow to
2474             " Shadow: " << *ArgShadow << "\n");
2511     // Now, get the shadow for the RetVal.
2516     // Until we have full dynamic coverage, make sure the retval shadow is 0.
2535              "Could not find insertion point for retval shadow load");
2565       Value *Shadow = getCleanShadow(RetVal);
2566       IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
2568       Value *Shadow = getShadow(RetVal);
2569       IRB.CreateAlignedStore(Shadow, ShadowPtr, kShadowTLSAlignment);
2639     // Result shadow if condition shadow is 0.
2653       // Cast arguments to shadow-compatible type.
2657       // Result shadow if condition shadow is 1.
2752     // Everything else: stop propagating and check for poisoned shadow.
2797   // For VarArg functions, store the argument shadow in an ABI-specific format
2803   // MSanParamTLS, and extract shadow on va_arg() call in the argument list
2853   /// \brief Compute the shadow address for a given va_arg.
2905     // Copy va_list shadow from the backup copy of the TLS contents.
2961       // Adjusting the shadow
2978   /// \brief Compute the shadow address for a given va_arg.
3022     // Copy va_list shadow from the backup copy of the TLS contents.
3077   // The instrumentation stores the argument shadow in a non ABI-specific
3123   /// Compute the shadow address for a given va_arg.
3192     // Instrument va_start, copy va_list shadow from the backup copy of
3203       // We need then to propagate the shadow arguments on both regions
3205       // The remaning arguments are saved on shadow for 'va::stack'.
3208       // saved. So to copy the shadow values from the va_arg TLS array
3231       // argument by ignoring the bytes of shadow from named arguments.